Flashlight spam (and others)
Mike Hodson
mystica at gmail.com
Sat Dec 17 18:59:48 CET 2016
(and here is the post that was supposed to go to the mailinglist, but
didn't, because of bloody gmail not replying-all by default. grr.)
On Sat, Dec 17, 2016 at 10:40 AM, Dino Edwards <
dino.edwards at mydirectmail.net> wrote:
Am I looking at this right? Does BAYES_00 assign a score of -4 on these
messages?
I believe you are; and I do not believe this is how a bayes score should be
set..
-----Original Message-----
* 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
* 0.8 RDNS_NONE Delivered to internal network by a host with no
rDNS
These 2 tests are not doing anything useful IMHO: if DKIM exists, and _is_
invalid, it should be an immediate spam flag.
No RDNS is a huge flag for an illegitamite mail spam server.
These should both be adding _way_ more points than the bayes_00 is
dropping...and bayes should not be dropping so much if at all.

Mike
On Sat, Dec 17, 2016 at 10:40 AM, Dino Edwards <
dino.edwards at mydirectmail.net> wrote:
> Am I looking at this right? Does BAYES_00 assign a score of -4 on these
> messages?
>
>
>
> -----Original Message-----
> From: amavis-users [mailto:amavis-users-bounces+dino.edwards=
> mydirectmail.net at amavis.org] On Behalf Of @lbutlr
> Sent: Saturday, December 17, 2016 12:12 PM
> To: amavis-users at amavis.org
> Subject: Flashlight spam (and others)
>
> I keep getting a rash of multiples of flashlight spam and gift card spam,
> all of which go sailing right through amavisd/postfix. Has anyone figured
> out a way to have amavis be more aggressive in tagging spam like this?
> Obviously BAYES_00 doesn't help, but even without that this spam would not
> have gotten tagged. There are hundreds of these hitting the server every
> day. and dozens just to me.
>
> I run these through sa-learn but the bayes score never changes.
>
> Return-Path: <nighthawk_gear-kreme=kreme.com at webmasterbond.com>
> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail.covisp.net
> X-Spam-Level:
> X-Spam-Status: No, score=0.3 required=5.0 tests=BAYES_00,DCC_CHECK,DKIM_
> SIGNED,
> HTML_IMAGE_ONLY_24,HTML_MESSAGE,MIME_HEADER_CTYPE_ONLY,RDNS_NONE,
> T_DKIM_INVALID,T_REMOTE_IMAGE autolearn=no autolearn_force=no
> version=3.4.1
> X-Spam-Report:
> * -4.0 BAYES_00 BODY: Bayes spam probability is 0 to 1%
> * [score: 0.0005]
> * 1.6 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes
> of words
> * 0.0 HTML_MESSAGE BODY: HTML included in message
> * 1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
> * valid
> * 0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without
> required MIME
> * headers
> * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
> * 0.8 RDNS_NONE Delivered to internal network by a host with no
> rDNS
> * 0.0 T_REMOTE_IMAGE Message contains an external image
> X-Original-To: kreme at covisp.net
> Delivered-To: kreme at covisp.net
> Received: from mail.covisp.net (localhost [127.0.0.1])
> by mail.covisp.net (Postfix) with ESMTP id 3tdYyT1XkSzv9rl
> for <kreme at covisp.net>; Tue, 13 Dec 2016 15:18:57 -0700 (MST)
> X-Virus-Scanned: amavisd-new at covisp.net
> Authentication-Results: mail.covisp.net (amavisd-new);
> dkim=fail (1024-bit key) reason="fail (message has been altered)"
> header.d=webmasterbond.com; domainkeys=fail (1024-bit key)
> reason="fail (message has been altered)"
> header.from=nighthawk_gear at webmasterbond.com
> header.d=webmasterbond.com
> Received: from mail.covisp.net ([127.0.0.1])
> by mail.covisp.net (mail.covisp.net [127.0.0.1]) (amavisd-new,
> port 10024)
> with ESMTP id r-XqbA5JCtTg; Tue, 13 Dec 2016 15:18:56 -0700 (MST)
> Received: from mail.webmasterbond.com (unknown [198.8.81.152])
> by mail.covisp.net (Postfix) with ESMTP id 3tdYyS2Ml3zv9nS
> for <kreme at kreme.com>; Tue, 13 Dec 2016 15:18:56 -0700 (MST)
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=
> webmasterbond.com; h=Date:From:To:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID;
> i=nighthawk_gear at webmasterbond.com;
> bh=Nfvn/X9O8Y5jCQWPbZvyxy5pEJs=;
> b=08U1qR944mcwcnBaCEjkN1b8iN4XtgEfXueH4gFGbi0qj9w/
> JjTSYcZPFCYLdbEVqvGEDFEC6g62
> 5q6vcIw7XmAay+1m/fDVL2FI92BknfLIqfzkz8d0fOjMoaV
> 1S7QzK/MrOvMk6EPdKAag/vpGlJl1
> bNoPkwyDMhgF/lXublE=
> DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=
> webmasterbond.com; b=r8P3mRUN7wdwD7vtnsIBOjXmsHlvX3P0+
> vEKGYk5ps4fCy6wG6EIO3tNDMnl++qDIFoNfkuC1eiT
> CqFTK97eGEjVLqLP8CA9fKmPL/3Cc+bO4Y0vUmZj8CzDxWieatvHhpHyTN6o
> Ib0RYqtnEjfmsngo
> czhaTSi1tu24k+xFKK4=;
> Received: by mail.webmasterbond.com id ha1pt00001gf for <kreme at kreme.com>;
> Tue, 13 Dec 2016 16:17:04 -0600 (envelope-from <nighthawk_gear-kreme=
> kreme.com at webmasterbond.com>)
> Date: Tue, 13 Dec 2016 16:17:04 -0600
> From: "NightHawk Gear" <nighthawk_gear at webmasterbond.com>
> To: <kreme at kreme.com>
> Subject: New LED flashlight technology released
> Content-Type: multipart/alternative;
> boundary="----=_Part_463_1589181058.1481667409330"
> X-SMTPAPI: {"category": "20161213-161042-880-4573"}
> List-Unsubscribe: <http://www.webmasterbond.com/green/
> 6488G9C11BKT1163qwlOgOFwlOgOzMig964/call>
> Feedback-ID: 201612131610428804573
> Message-ID: <0.0.0.4C.1D2558EA2A0749A.6C0649 at mail.webmasterbond.com>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20161217/b400ed2f/attachment.html>
More information about the amavis-users
mailing list